
ASA NAT loopback only icmp works

Martin Thomas
Level 1

Hello experts,
I am configuring NAT loopback on an ASA 5516. That means, for example, mapping an HTTP server to the internet and accessing it from the ASA inside via the public IP address. My problem is that only ICMP works: it is reachable, but any other TCP, for example 443, doesn't work.
Also, access to the public IP from the internet (ASA outside) all works well. Could you help with what's wrong with it? Below is the configuration. I am really confused; I tried everything I can, but it was not helpful. Please support.
Thanks


ciscoasa(config)# sh run
: Saved
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 6.6.6.6 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.135.16.2 255.255.255.0

same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network WebHTTP
 host 192.168.10.229
object network CoreSW
 host 192.168.10.254
object network WebPubIP
 host 8.8.8.8
object service TCP443
 service tcp destination eq https
object service test
 service tcp
object-group network LocalLAN
 network-object 10.135.16.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0

access-list inside-acl extended permit ip any any
access-list inside-acl extended permit icmp any any
access-list outside-acl extended permit icmp any any
access-list outside-acl extended permit tcp any host 192.168.10.229 eq https
access-list outside-acl extended permit tcp any4 host 192.168.10.229 eq 10022

pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,inside) source static LocalLAN LocalLAN destination static WebPubIP WebHTTP no-proxy-arp
nat (inside,inside) source static LocalLAN LocalLAN destination static WebPubIP WebHTTP net-to-net
nat (inside,inside) source static LocalLAN LocalLAN destination static WebPubIP WebHTTP service any TCP443
nat (inside,inside) source static LocalLAN LocalLAN destination static WebPubIP WebHTTP service TCP443 TCP443
nat (inside,inside) source static LocalLAN LocalLAN destination static WebPubIP WebHTTP service test test
nat (inside,inside) source static LocalLAN LocalLAN destination static WebPubIP WebHTTP service any test
!
object network obj_any
 nat (any,outside) dynamic interface
object network WebHTTP
 nat (inside,outside) static 8.8.8.8

access-group outside-acl in interface outside
access-group inside-acl in interface inside
access-group inside-acl out interface inside
route outside 0.0.0.0 0.0.0.0 6.6.6.5 1
